Tag Archives: PositiveTechnologies

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023. The report was released on July 2. I generated a rap track on this topic in Russian using Suno. 🙂 English subtitles available.

List of vulnerabilities:

🔻 Remote Code Execution – Microsoft Exchange “ProxyNotShell” (CVE-2022-41040, CVE-2022-41080, CVE-2022-41082)
🔻 Remote Code Execution – Bitrix Site Manager “PollsVotes” (CVE-2022-27228)
🔻 Elevation of Privilege – Polkit “PwnKit” (CVE-2021-4034)

In Russian

Trending vulnerabilities for June according to Positive Technologies

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section “Trending VM” in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the “Trending VM” section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

In Russian

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA. The injected code collects the logins/passwords that users enter to access the Exchange web interface and stores them in a special file. This file is accessible externally. Thus, attackers simply collect credentials to access confidential information and develop the attack further. 🙂

👾 The malware is installed by exploiting an old ProxyShell vulnerability (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

🏛 A total of 30 victims were discovered, including government agencies, banks, IT companies, and educational institutions.

🌍 Countries attacked: Russia, UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, Lebanon and others.

🕵️‍♂️ The fact of compromise can be determined by a specific line in the logon.aspx file.

In Russian

Today starts an online hackathon organized by the MaxPatrol VM Positive Technologies team

Today starts an online hackathon organized by the MaxPatrol VM Positive Technologies team. Participants will develop vulnerability detection rules. There were no restrictions on the participation of PT employees, so I also applied and will share my impressions in the Telegram channel. 😏 I am very excited. 🤩

IMHO, involving the community in the development of security content is exactly what will radically improve the completeness and quality of vulnerability/misconfiguration detection in VM products. And that is the very essence of these products.

In Russian

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian). I also generated a Vulristics report for these vulnerabilities. There are 5 vulnerabilities in total.

🔻 For 3 vulnerabilities there are exploits and confirmed signs of exploitation in the wild: AuthBypass – TeamCity (CVE-2024-27198), RCE – FortiClientEMS (CVE-2023-48788), EoP – Windows Kernel (CVE-2024-21338).

🔻 For 2 more vulnerabilities there are no signs of exploitation in the wild yet, but there are exploits: EoP – Windows CLFS Driver (CVE-2023-36424), RCE – Microsoft Outlook (CVE-2024-21378).

In Russian

I reach a wider audience: I talk about trending vulnerabilities in the SecLab News show

I reach a wider audience: I talk about trending vulnerabilities in the SecLab News show. 🤩 It’s in Russian, but the automatically generated subtitles combined with automatic translation do a good job. The “Trending VM” section starts at 16:05. 🎞

As for the content, this is the February digest of trending vulnerabilities, but presented in a more lively format: simple phrases, with all sorts of memes, jokes and so on. Typical edutainment. 😏 The level of production demonstrated by the SecLab News team is, of course, amazing. I haven’t seen anything better yet. Very professional guys, it’s a pleasure to work with them. 🔥

In general, this is a trial attempt – the further fate of the section (and maybe not only the section) depends on you 😉.

➡️ Please follow the link, watch the episode, like it, and leave a comment about the section: what you liked and what could have been done better.

We are really looking forward to your feedback. 🫠

In Russian

I watched the recording of the Positive Technologies webinar “How to use MaxPatrol VM API: theory and practice”

I watched the recording of the Positive Technologies webinar “How to use MaxPatrol VM API: theory and practice”. On the theoretical part, everything is clear: there is a documented API; it is the same for integrations and the Web GUI. 🙂

On the practical side they showed:

🔻 How to use the MaxPatrol API in the Nightingale REST client (examples on GitHub).
🔻 Unofficial PTVM SDK. A small Python script with one class for working with the MaxPatrol API.
🔻 Positive CLI for MaxPatrol API. So, automation can be done simply with shell scripts! 😇 A much more functional project than the SDK, also in Python. The screenshots show the vulnerabilities with criticality calculated using FSTEC methodology and trending vulnerabilities with an exploit.
🔻 How to use the MaxPatrol API in the low-code tool n8n (e.g. sending query results to Telegram).

Links to projects are on the addons page.

Show it to your colleagues who work with MaxPatrol VM. 😉

In Russian